Smithsonian Institution
Office of the Inspector General

In Brief

Internal Controls Over Cash Management and Banking Activities
Report Number M-06-01, February 14, 2006

Why We Did This Study

Our September 2005 audit of the Institution's bank reconciliation practices and three previous consultant studies raised concerns about the separation of duties in the Comptroller's office, access to financial records, and oversight of banking fees. We examined these issues to determine whether corrective actions had been implemented to strengthen controls over cash management and banking activities. We reviewed duties and access levels for 15 positions in the accounts payable, cash management, and bank reconciliations groups within the Comptroller's office.

What We Found

We confirmed that control weaknesses existed in all three areas examined, which could expose the Institution to fraudulent transactions and overpayments, and affect the reliability of information in its financial system. Specifically:

• Separation of duties. About 60 percent of the employee positions we reviewed lacked a proper separation of duties. These incompatible duties provided employees the opportunity to misappropriate funds for personal use and to conceal the theft by altering the accounting records. For example, employees could (1) transfer funds out of the Institution and control the related recording of those transactions, (2) modify vendor listings and process payments for vendors, or (3) reconcile and make correcting entries to bank accounts. Also, supervisors did not adequately review outgoing wire transfers, increasing the risk that fraud could occur undetected.

• Financial system access. Employees were granted broader access to the automated financial system of the Institution than was necessary to perform their job duties, thereby increasing the risk of theft. This occurred because access levels in the automated financial system are complicated and understood by few, access was granted to employees without evidence of supervisory approval, and managers did not review the appropriateness of employee access levels on a regular basis.

• Monitoring of banking contracts and fees. The Institution paid approximately $340,000 in annual bank fees without adequately determining the validity or appropriateness of the charges. Management did not maintain copies of bank agreements or fee schedules and also lacked an internal listing of unit transactions to verify the high volume of miscellaneous service fees charged by its largest banking partners.

What We Recommended

We made 13 recommendations designed to ensure the proper separation of duties; strengthen the review, approval, and documentation of financial system access levels; and ensure periodic validation of current bank charges as well as a monthly analysis of bank fees under future banking arrangements. Management's initial implementation plan fully addressed our recommendations regarding financial system access and bank fees. We have been working closely with the Chief Financial Officer and Comptroller to ensure appropriate corrective actions are taken to address the separation of duties issues.

For additional information or a copy of the full report, contact the Office of the Inspector General at (202) 275-2244 or visit http://www.si.edu/oig.

In evaluating controls over cash management and banking activities, we reviewed duties and system access levels for 15 positions[4] in the accounts payable, cash management, and bank reconciliations groups to determine how employees reviewed, processed, and recorded banking and other financial transactions. We also met with Office of the Chief Information Officer (OCIO) representatives and OC managers to determine the process for granting access to areas of the financial system. We assessed how OC monitors fees paid to banks to ensure they are in accordance with approved agreements between the banks and the Institution. We did not attempt to detect fraudulent activity by testing individual transactions where we noted internal control weaknesses. Appendix A further describes our objectives, scope, and methodology.

[4] The 15 positions included two contractors.

ANALYSES AND RECOMMENDATIONS

As required by Smithsonian Directive 115, units within the Institution must have internal controls in place to ensure that resources are used in a manner consistent with the Institution's mission and that programs are protected from waste, fraud, and mismanagement. Our review identified three internal control weaknesses that could expose the Institution to fraudulent transactions and overpayments, and affect the reliability of information in its financial system:

Separation of duties. Of the 15 accounts payable, cash management, and bank reconciliation positions in OC that we reviewed, 9 individuals (60 percent) could either: (a) control the transfer of funds out of the Institution and the related recording of those transactions; (b) modify the approved vendor list and process payments for vendors through the accounts payable system; or (c) reconcile bank accounts and make correcting entries to those accounts. These incompatible duties provide employees the opportunity to misappropriate funds for personal use and to conceal the theft by altering the accounting records. In addition, in the cash management area, supervisors did not adequately review outgoing wire transfers, increasing the risk that fraud could occur undetected.

Financial system access. Of these same 15 employees, 9 were granted broader access to the automated financial system of the Institution than was necessary to perform their job duties. As a result, employees could process transactions that were outside their assigned job responsibilities, thus increasing the risk of theft. This occurred, in large part, because access levels in the PeopleSoft financial system[5] are complicated; access was granted to employees without evidence of supervisory approvals; and access levels were not regularly reviewed for appropriateness by OC managers.

[5] Access levels are established in the PeopleSoft financial system by a hierarchy of settings. Roles establish a user's ability to perform a specific function or task. For each role, there are pre-established permission lists, and for each permission list there are established preferences. Roles, permission lists, and preferences can be modified by the OCIO.

Monitoring of banking contracts and fees. The Institution paid approximately $340,000 in annual bank fees without reviewing the approved bank agreements to establish the validity or appropriateness of the charges. A 2004 consultant study raised concerns that the Institution may have paid excessive and unusual fees for lockbox and other depository services, which may explain why the Smithsonian was charged higher rates than the national averages for some of the bank services. The Comptroller acknowledges that oversight of bank service fees has been a longstanding issue, which he has been working to resolve since he was hired by the Institution in July 2004. By September 2005, OC had obtained copies of the bank agreements for most of the smaller banks. However, it was unable to obtain previous fee schedules or a copy of its agreement with its largest banking partner, the Bank of America, which accounted for over 80 percent of the annual banking service fees. OC also lacked an internal listing of transactions to verify the accuracy of fees charged by the Bank of America. It was not until the end of this review, in December 2005, that OC obtained a fee schedule for Bank of America to use in future analyses of bank charges.

We provided management with an informal draft of this report in the latter part of November 2005 and entered into extensive discussions with the Comptroller on the report findings and compensating controls to mitigate the impacts of the control weaknesses we identified. Our findings did not change as a result of these discussions, but we made minor technical changes to the informal draft and refined several recommendations before issuing the formal draft on January 13, 2006.

On January 27, 2006, management provided us with its formal response to our draft report, which is contained in its entirety in Appendix B. The response indicated concurrence with 10 recommendations, partial concurrence with the remaining 3, and disagreement with several of our conclusions and our characterization of OC staffing levels and banking fees. We carefully reviewed management's concerns with the report and continue to believe our conclusions and characterization of the facts are accurate. Management proposed actions that should strengthen internal controls over system access levels and oversight of bank fees. However, corrective actions proposed by management to ensure the proper separation of duties are not fully responsive to our recommendations in this area. A detailed discussion of the internal control weaknesses and management's response to our analysis and recommendations is included in the following sections.

Critical Duties are not Adequately Separated within the Office of the Comptroller

The objective of separating duties is to make certain that employees do not have control over multiple phases of a transaction. The Office of Management and Budget's Circular A-123, Management's Responsibility for Internal Control, states that key duties and responsibilities for authorizing, processing, recording, and reviewing official agency transactions should be separated among individuals. When there is a good separation of duties, fraud cannot occur undetected unless there is collusion between two or more employees. Therefore, managers should ensure that individuals are not assigned incompatible duties that give them control over multiple phases of a transaction. Managers, themselves, also should not have the capability to authorize, process, and review the same transactions.

Our evaluation disclosed that 9, or 60 percent, of the 15 employees sampled performed duties that allowed them to control multiple phases of a transaction. As discussed below, these employees were divided among the cash management, accounts payable, and bank reconciliations areas of OC under the Financial Analysis and Reporting Division and the Financial Information Processing Division.

• In the cash management group, two employees, who annually execute tens of millions of dollars in wire transfers, are responsible for both executing the transfers and recording them in the accounting system. This arrangement provides the opportunity to execute wire transfers to fictitious payees and then conceal the identity of the true payee(s). For example, employees can send a wire to their own account and then improperly record it as a payment to a vendor or other bank account. The person reconciling the bank account would likely not detect this fraud because the amount recorded in the ledger would correspond to the amount paid by the bank. This is of particular concern because employees can wire (over the phone or by Internet) millions of dollars without verification or approval from the supervisor prior to the bank's execution of the transaction. Also, few limits have been established for the dollar amount and number of wires that can be initiated each day. The Cash Management Officer told us that he began to approve some Internet wires in November 2005. While this is a good first step, we believe that wires transacted over the phone should also be approved before funds are transferred. Further, wires in excess of $1 million should be approved by progressively higher levels of authority, such as the Manager of the Financial Information Processing Division and the Comptroller. These approval levels should be communicated to the banks as a requisite for accepting the transfers, and OC should conduct periodic reviews of the support and approvals for wire transfers and of the approval limits.

• The accounts payable manager and two other employees in accounts payable can authorize the processing of payments approved by the units, review accounts payable transactions, and create and adjust vendor files in the financial system. The accounts payable manager told us that he had both recorded and approved entries in the financial system either when employees were absent or to meet workload demands during peak periods. Because of these privileges, the accounts payable manager could direct payments to a fictitious vendor and conceal the transaction by altering the accounting records. The two other accounts payable employees were assigned access levels that became inappropriate after their duties changed. One of these individuals did not have his accounts payable access removed when he was reassigned vendor maintenance responsibilities. The other individual was a contract employee who was rotated among various duties without modifying her access levels. Because the system access levels of these employees were not reviewed and modified after their duties changed, these individuals could both access vendor maintenance files and schedule vendor payments.

• Four employees in the bank reconciliations group are responsible for reconciling bank accounts and correcting accounting records. In our recent audit of bank reconciliations, we found one of these employees had both performed the reconciliation and cleared reconciling items for the CIGNA account. These incompatible responsibilities would allow this employee to force bank account reconciliations into balance with the accounting records through improper entries into the accounting system. Subsequently, the Institution dropped CIGNA as its medical provider.

The lack of proper controls was previously reported in a 2004 PricewaterhouseCoopers LLP study.[6] The study identified a lack of separation of duties within OC, noting instances where the same individual was preparing and posting journal entries, and the absence of supervisory review of the entries. The consultant concluded that the focus of the office was on processing transactions rather than on controlling those processes to ensure that information was properly recorded and reviewed. The study advised OC that it should implement a policy where all journal entries are reviewed and signed by a supervisor. We agreed that all journal entries should be reviewed and approved. In discussing this issue with the Comptroller, he indicated that available resources were insufficient to review every journal entry. Recognizing these constraints, at a minimum, the Comptroller should ensure that non-routine journal entries as well as those in excess of $100,000 are reviewed and approved.

[6] Smithsonian Institution Internal Controls Review – Phase II, PricewaterhouseCoopers LLP, December 2004.

The consultant also suggested as a best practice that the Institution's Office of the Treasurer assume responsibility for wire transfers and bank callback verification procedures, and that limits be set on the amount of money that can be transferred without additional review. Subsequently, the Institution elected not to shift these responsibilities to the Office of the Treasurer because it believed it had adequate mitigating controls in place and that the related accounting function would be better managed in OC. Because, as discussed above, adequate controls over wire transfers were not in place, we are recommending a series of actions that should strengthen oversight of wire transfers should the Institution keep this function within OC.

In addition to the consultant's observations, we found the inadequate separation of duties within OC has, in large part, resulted from multiyear budget reductions. According to the Comptroller, at the start of FY 2002 OC had about 90 employees. Due to staff reductions and transfers to other units, staffing levels had declined by the end of fiscal year 2005 to about 47 employees. To compensate for staffing shortages, supervisors have had to review, record, and process transactions to meet workload demands.

The staffing shortages also have caused OC to rely heavily on contractors, which has weakened the control environment. Further, the high turnover of contract staff created vacancies in critical positions, requiring permanent employees to perform multiple phases of transactions as well as expend scarce resources to train temporary staff. For example, in an attempt to balance the workload, three employees assigned bank reconciliation duties were given access to the accounts payable module to process intragovernmental payments and collections. This access allowed them to process all types of accounts payable transactions outside of the accounts payable supervisory review process.

OC's heavy reliance on contract staff was highlighted as an area for improvement in Booz Allen Hamilton's Focused Workforce Analysis report,[7] which noted that the Institution would benefit from replacing some of its contractors with permanent staff. The consultant reported that the current financial management workload exceeded workforce resources, and that the Institution needed to define the number of staff required to adequately perform financial roles within the Institution.

[7] Focused Workforce Analysis, Booz Allen Hamilton, September 2005.

The Comptroller acknowledges that his office's reliance on contractors has resulted in many data entry errors, and he is taking steps to mitigate this situation. Senior managers, through the Workforce Hiring Action Plan process, have strengthened the Office of the Comptroller's staffing by converting four positions from contract to permanent staff, adding three new positions, and upgrading another position. In September 2005, the Comptroller hired a Cash Management Officer who has started approving some of the wire transfers from the Institution's bank accounts. However, this practice has not been formalized in OC written procedures, and not all wire transfers are approved by the Cash Management Officer. Further, despite the additional positions, in our view, the staffing levels in OC are still inadequate to manage the workload.

RECOMMENDATIONS

Given the increased emphasis on internal controls by the Office of Management and Budget, and the potential for significant losses through wire transfers, we recommend the Chief Financial Officer (CFO):

1. Review functions currently performed within OC and take steps to ensure that employees do not have control over multiple phases of a transaction, consistent with SD 115.

2. Require the Cash Management Officer to approve all outgoing wire transfers before funds are transmitted. In addition, require that wire transfers in excess of $1 million be approved by the Manager of the Financial Information Processing Division and those over $10 million be approved by the Comptroller, or in their absences by designated alternates.

3. Instruct the banks not to accept wire transfers from the Institution's bank accounts without authorization from the Cash Management Officer, the Manager of the Financial Information Processing Division, or the Comptroller, or in their absences by designated alternates.

4. Require a monthly review of wire transfers to ensure they are properly supported and approved.

5. Ensure that non-routine journal entries as well as those over $100,000 are reviewed and approved by a supervisor.

System Access Levels were Granted in Excess of Job Responsibilities

In April 2005, PricewaterhouseCoopers issued a report[8] summarizing the results of its review of security controls associated with the Institution's financial system (PeopleSoft). After reviewing approximately 1,200 Institution-wide accounts, PricewaterhouseCoopers found that individuals in OC and OCIO had been granted inappropriate access to different sections of the production environment, such as vendor management or accounts payable, based on their respective job positions or responsibilities. This occurred due to the complexity of PeopleSoft roles and permission lists.

[8] Security Review and Penetration Testing of Financial Systems, PricewaterhouseCoopers LLP, April 2005.

In response to the report, the Comptroller, in coordination with OCIO, removed "system administrator" access for a small subset of employees, and a number of queries were developed to facilitate periodic review of user access. Nonetheless, our review disclosed that 9, or 60 percent, of the 15 staff in OC sampled still had access to areas of the financial reporting system that were incompatible with their primary job responsibilities. For example, three employees in the accounts payable group had access to both the vendor maintenance and vouchers payable sections of the financial system, which could allow fictitious payments to be processed and concealed. In addition, four employees in the bank reconciliations group who were responsible for reconciling bank statements had access to the general ledger, which could allow them to improperly modify the accounting records.

We also found that the OC manager for accounting systems integration was granting system access to OC staff without evaluating whether access levels were compatible with employee job duties. The manager told us he was not trained on the configuration of security access levels within the PeopleSoft financial system and has not been provided information on job duties that would allow him to determine where responsibilities are incompatible with system access.

The security access form used to assign system permissions also does not clearly define the access permissions being requested. For this reason, the manager relies on employees' direct supervisors to perform that review, and only signs the security access forms because his predecessor signed them. However, we found no evidence that supervisors reviewed and approved system access requests.

The manager also did not keep copies of the approved system access forms sent to OCIO, or periodically review access profiles. Smithsonian Directive 301 requires, at a minimum, that unit managers review user access profiles at least annually or when employees change duties to ensure appropriate roles and responsibilities are assigned to each user in the financial system. Despite this requirement and several requests from OCIO, OC had not provided OCIO with a list of its employees who should have their system access levels modified.

In addition, the manager told us that he does not approve all user system access requests. User access requests for the purchasing and budget areas of the financial system are approved by the Office of Contracting and the Office of Planning, Management and Budget. These units, with the assistance of an OCIO employee, were evaluating whether system access requests for purchasing and budgeting functions were creating separation-of-duty conflicts. We determined this evaluation process was not always effective in identifying potential conflicts. For example, employees given access to the budgeting module of PeopleSoft should not have access to the purchasing module because it could enable them to make unbudgeted purchases and then mask them by changing the budget records.

RECOMMENDATIONS

To ensure the Institution has implemented access controls for its financial system that more properly reflect user responsibilities, we recommend the CFO:

6. Require OC supervisors to review and sign system access forms before they are sent to OC's manager for systems integration to ensure that OC employees are granted only the access needed to perform their jobs.

7. Require the systems integration manager to retain approved system access requests and, as required by Smithsonian Directive 301, annually review the appropriateness of system access levels granted to OC employees and work with OCIO to modify access levels, where appropriate. Because OC had not provided OCIO a list of needed system access modifications for its employees, OC should do so no later than 30 days from the date of this report.

8. Assign responsibility for reviewing separation of duties related to PeopleSoft system access levels between the various CFO departments to ensure that no one individual can control multiple phases of a transaction.

9. Ensure that the financial systems integration manager is provided adequate information, training, and support from OC and OCIO on PeopleSoft financial system access levels and employee job duties to allow him to appropriately evaluate system access requests.

We recommend the Chief Information Officer:

10. Work with OC to more clearly define system access levels, roles, and permissions for OC staff and revise access forms to better describe the respective financial system access levels.

Banking Fees were Paid without Ensuring their Validity or Reasonableness

An important component of cash management is proper oversight of banking fees. We found that OC had been paying approximately $340,000 annually for numerous banking fees without adequately determining the validity or reasonableness of the fees. OC could not conduct fee reviews because it did not maintain records of the approved agreements with the banks. The bank agreements also were not retained by the Office of Contracting or the Treasurer.

The lack of documentation to monitor bank fees is troubling in light of fee irregularities identified by an October 2004 study by Mitchell & Titus, LLP.[9] The consultants reported they found disturbing the number of fees assessed for what appeared to be the same transactions. For example, the Smithsonian was billed multiple fees by both Riggs Bank (now PNC) and Bank of America for receiving, depositing, and recording checks received in lockboxes. Mitchell & Titus also reported that both banks, combined, charged 63 types of miscellaneous service fees that were outside of industry norms. Additionally, it identified unusual billings for excessively high volumes of inquiries for information. For example, the Smithsonian was charged inquiry fees based on an activity level of about 17,000 inquiries monthly. The consultants reported that "the Smithsonian was also billed unexpected charges for walk-in deposit fees on lockboxes and other questionable services, such as negotiability reviews and deposit preparation."

[9] Assessment of Banking Relationships and Cash Management Practices, Mitchell & Titus, LLP, October 2004.

In looking at the high volume of miscellaneous fees that the Bank of America charged the Institution, we noted that the units were directly ordering services from the banks without approval from OC. These services included inquiries, photocopying, and other miscellaneous services. Because these services were charged on a per-transaction basis, unit actions contributed to a higher level of monthly service charges. We also found that OC had no independent source of information, such as an internal transaction-level listing, to verify or analyze the number of unit transactions being charged or to identify which units were responsible for the transactions. Absent detailed activity-level data, the Comptroller could not determine which units were ordering banking services and thus missed an opportunity to reduce operating costs. To address this, the Comptroller told us he plans to direct the banks to either not accept or to limit the miscellaneous services they provide to the units.

In September 2004, OC requested copies of the current agreements from the banks. OC subsequently acquired many of the banking agreements for the smaller banks and, most recently, the fee schedule from the Bank of America, the Institution's largest banking partner. However, neither the Bank of America nor the Comptroller could ultimately produce a copy of any contract or previous fee schedule, which is needed to determine whether previous payments to Bank of America were appropriate. With the current fee schedule, however, the Comptroller should be able to review the validity and reasonableness of future charges.

RECOMMENDATIONS

We recommend the CFO:

11. At least quarterly, verify that charges for banking services are valid and reasonable in accordance with the Institution's current agreements with the banks. Ensure a provision is incorporated into future banking agreements to allow for a monthly analysis of bank fees.

12. Direct the Institution's current banking partners to either reject or limit miscellaneous services provided to the units until new banking arrangements are established.

13. Formalize the controls recommended to OC in this report into a written policy to ensure current and future OC employees have appropriate operating guidance and to better document controls over cash management and other financial management activities.

MANAGEMENT COMMENTS AND OFFICE OF INSPECTOR GENERAL RESPONSE

We provided management with an informal draft of this report in November 2005 and entered into extensive discussions with the Comptroller on the report findings and compensating controls to mitigate the impacts of the control weaknesses we identified. Our findings did not change as a result of these discussions, but we made minor technical changes and refined several recommendations before issuing the formal draft on January 13, 2006.

On January 27, 2006, management officials provided formal written comments indicating disagreement with several of our conclusions and the report's characterization of OC staffing levels and banking fees. Specifically, management disagreed that individuals performing bank reconciliations should be restricted from having general ledger access to those accounts, based on current staffing limitations and its confidence in existing processes. Management also expressed concern that the report did not explain that OC performed bank reconciliations and cleared reconciling items for the Institution's CIGNA account because the Office of Human Resources (OHR) had ceased to perform this function. Further, management disagreed that the Comptroller's monitoring of bank contracts and fees was weak, given his professional experience and the extensive analyses he performed of the fees. Management also believed the report inaccurately described bank charges for inquiries.

We carefully reviewed management's concerns with the report and continue to believe our conclusions and characterizations of the facts are accurate and appropriate. Although management asserts that our report contains "serious inaccuracies," we correctly reported that five employees were assigned to the bank reconciliation function in OC. The sixth person performing bank reconciliations was a contractor and not an employee. We also reported that 32 individuals were performing other functions, based upon a November 2005 staff roster provided by the CFO. We do not believe there are inaccuracies or that they are serious.

Further, contrary to management's assertion, employees performing bank reconciliations should be restricted from access to the accounts they are reviewing to ensure they do not force reconciliations into balance with the accounting records. Separation of duties is needed so that one individual is not in a position to both perpetrate and conceal errors or fraud in the normal course of his or her duties. This is not to say that the same employees should not have access to other non-conflicting areas of the general ledger.

Management believes it has deployed compensating controls where resource constraints have compromised its ability to separate duties. However, we saw limited evidence of compensating controls, such as reviews of detailed transactions initiated by staff or reviews of supporting documents for a sample of transactions, which, in our opinion, would adequately address the lack of segregation of duties. Further, relying solely on compensating controls is less desirable than establishing separation of duties because compensating controls ordinarily occur after transactions are complete. It takes more resources to investigate and correct errors, and recover losses, than it does to prevent them.

Concern over the report's failure to mention OHR's responsibility for reconciling the CIGNA account was not raised by the Comptroller in prior discussions on earlier drafts. The fact that OC staff cleared reconciling items for the CIGNA account because OHR ceased to perform this function also does not negate the need for proper controls over reconciliations of this account.

Finally, we believe the Comptroller did not adequately review bank fees because he simply lacked the information to do so. For example, the Comptroller did not have copies of the bank agreements to show what agreed-upon fees were to be charged the Smithsonian, or internal activity reports indicating the types of services rendered and the frequency of inquiries being made by the units. As a result, the Comptroller did not know how many times each unit was requesting services or products from the banks, and so could not verify that the charges were valid and reasonable. Further, 63 types of fees charged the Institution were not tracked nationally, leaving the Comptroller no benchmarks against which to assess the reasonableness of fees charged the Institution. Many of the bank fee issues were also noted in the October 2004 Mitchell & Titus report on the Institution's cash management practices, which concluded there were opportunities for significant savings in the bank services area.

Management also disagreed that the large volume of fees for information services was a reflection of individual unit inquiries. We believe this statement is inconsistent with actions the OC staff took to reduce unit inquiries. According to the Manager of the Financial Information Processing Division, in early 2005, OC instructed the units to stop making inquiries of the banks.
In December 2005, the Comptroller told us he was going\nto instruct the banks not to accept unit inquiries, and, in January 2006, the Comptroller\nprovided written acknowledgement to us that he \xe2\x80\x9cwould support an OIG\nrecommendation to cease unauthorized unit activity.\xe2\x80\x9d\n                                             11\n\x0cOf the 13 report recommendations, management concurred with 10 and partially\nconcurred with 3. While corrective actions proposed by management were generally\nresponsive to the recommendations, we believe that additional actions are needed on five\nrecommendations before we can consider them fully resolved. Management\xe2\x80\x99s response to\nour recommendations and our evaluation of their planned actions are discussed below.\n\nSeparation of Duties\n\nWe made five recommendations to address the lack of separation of duties in OC.\nManagement concurred with recommendations 1 and 3, and partially concurred with\nrecommendations 2, 4, and 5. We believe that management\xe2\x80\x99s response in some areas\nreflects a misinterpretation of the control weaknesses underlying the recommendations.\nIn our view, the proposed actions are not fully responsive to any of the five\nrecommendations.\n\nRecommendation 1. The Comptroller agreed to review the separation of duties among\nhis employees and ensure compliance with SD 115 by February 13, 2006. However, he\nwill not restrict general ledger access to accountants involved with the bank reconciliation\nprocess. He stated that accountants have other duties in OC requiring general ledger\naccess, and a separation of duties is not warranted given that compensating controls are in\nplace.\n\nWe recognize that OC accountants may have other responsibilities requiring general\nledger access. We are recommending only that they not be given ledger access to those\naccounts they are responsible for reconciling. 
Because OC is planning to hire several\nmore employees in 2006, we believe it could use these resources to reassign duties and\nfunctions to address this control weakness.\n\nFurther, although management states there are compensating controls to mitigate the lack\nof separation of duties, the Comptroller did not provide details of these controls to the\nauditors. We acknowledge that OC now performs monthly bank reconciliations, but\nbank reconciliations are merely a detective (after-the-fact) control and do not prevent\ntheft of the Institution\xe2\x80\x99s assets. Therefore, we are requesting the Comptroller either\ndescribe the compensating controls he has implemented to resolve this issue or explain\nhow he plans to use new hires in 2006 to provide the proper separation of duties.\n\nRecommendation 2. The Cash Management Officer will approve all wire transfers before\nfunds are transmitted, but the Comptroller does not agree that transfers in excess of\n$1 million should be reviewed by higher-level managers. He believes unit approval of\nthese transactions is sufficient.\n\nWe believe that the Comptroller may have misunderstood our recommendation. We\nagree that units budget-checking and approving wire transfers before they are sent to OC\nfor processing will enhance internal controls. However, because OC employees can both\nexecute wire transfers and record them in the accounting system without review by a\nhigher-level supervisor, they can create \xe2\x80\x9cfictitious\xe2\x80\x9d wire transfers that are not generated by\n                                             12\n\x0cthe units. For example, employees can transfer money to their own accounts or to a\nfictitious payee and improperly record it as a payment to a valid vendor in the accounting\nrecords.\n\nWe do not believe that outgoing wires in amounts over $1 million should be entirely\nunder the control of one manager in OC. 
The risk of loss is high because cash is a liquid\nasset vulnerable to theft, and cash transfers by wires allow an instantaneous transfer of\nfunds. While it is possible that this type of fraud may eventually be detected, funds could\nbe lost and it would be very difficult to recover them once misappropriated.\n\nOur recommendation is consistent with recent guidance on internal controls and a prior\nconsultant study. According to the October 2005 Treadway Commission exposure draft\non internal controls,10 as dollar thresholds increase, additional approvals from senior\nlevels of management are required. In addition, PricewaterhouseCoopers, in its 2004\nreport on the Institution\xe2\x80\x99s internal controls also recommended that specific limits be\nestablished for signing authority on bank transfers.\n\nThe Comptroller or his designee should be reviewing wire transfers in excess of\n$10 million and the Division Manager or her designee should be reviewing transfers over\n$1 million to reduce the risk of fraudulent transactions. We do not believe this is unduly\nburdensome because OC staff told us they transmit an average of two wires over\n$10 million monthly. Due to the high risk of loss in this area, we do not consider the\ncorrective action proposed to be fully responsive to the recommendation.\n\nRecommendation 3. The Comptroller agreed to instruct the Institution\xe2\x80\x99s banks to not\naccept any wire transfers without authorization from the Cash Management Officer. This\naction is not fully responsive to our recommendation because it does not address higher-\nlevel authorizations for bank acceptance of large dollar wire transfers. The Comptroller or\nhis designee should be authorizing wire transfers in excess of $10 million and the Division\nManager or her designee should be authorizing transfers over $1 million to reduce the\nrisk of fraudulent transactions.\n\nRecommendation 4. 
In lieu of implementing the recommendation, the Comptroller\nproposes strengthening unit authorizations of wire transfers before they are sent to OC\nfor processing. The Comptroller does not believe additional monthly reviews of wire\ntransfers made by OC are necessary because OC only processes wire payments for\nproperly approved transactions. As discussed in our response to recommendation 2, the\naction proposed by the Comptroller will not mitigate the control weakness we reported as\nit does not provide a mechanism for detecting whether OC employees have created\nfraudulent wire transfers or transferred funds to fictitious vendors. A sampling of\noutgoing wires should not be onerous, and we believe the benefit of this control far\noutweighs its cost.\n\n\n\n10\n     Internal Control - Integrated Framework, Guidance for Smaller Public Companies Reporting on Internal\n     Controls over Financial Reporting, the Committee of Sponsoring Organizations of the Treadway\n     Commission, October 2005.\n                                                       13\n\x0cRecommendation 5. Instead of reviewing journal entries in excess of $100,000 as\nrecommended, the Comptroller agreed to review a sample of journal entries for proper\ndocumentation and support on a quarterly basis as part of his ongoing compliance efforts.\n He stated there is considerable activity in journal entries at the $100,000 and above level\nof materiality, and he does not have adequate staff to review those transactions. He also\nindicated that \xe2\x80\x9cOC divisional managers are well informed as to non-routine\nactivities\xe2\x80\xa6and are actively engaged in the proper recording of these items.\xe2\x80\x9d\nWe do not share the Comptroller\xe2\x80\x99s confidence in the proper recording of journal entries\nbecause of errors we found during our 2005 audit of bank reconciliations. 
We reported\nthat $9.4 million or 76 percent of the reconciling items sampled were caused by errors\nmade in data entry and that the majority (90 percent) of these errors were made by OC.11\nFurther, PricewaterhouseCoopers, in its report on internal controls, also recommended\nthat all journal entries be reviewed and approved by a supervisor in OC\xe2\x80\x99s Financial\nAnalysis and Reporting Division.\n\nWe believe that if journal entries were subject to better review and approval, the\nInstitution could more readily implement quarterly financial reporting. If the\nComptroller has a reasonable alternative to the $100,000 threshold we proposed, we are\nopen to his suggestions. However, the response provided does not satisfactorily address\nthe recommendation.\n\nSystem Access Levels\n\nManagement concurred with recommendations 6, 7, 8, 9, and 10. OC supervisors will be\ninstructed to review and sign all access forms for OC and the Comptroller will review all\nchanges to OC employee system access. The Comptroller will also formalize and\ndocument the annual review of the appropriateness of system access levels granted to OC\nemployees and work with the OCIO to modify access levels, where appropriate. Further,\nthe CFO will assign responsibility for reviewing separation of duties related to the\nPeopleSoft system access levels between the various CFO departments and provide the\nfinancial systems integration manager with adequate information, training and support to\nallow him to appropriately evaluate system access requests. We believe these proposed\nactions should resolve the issues underlying the recommendations.\n\nOversight of Bank Fees\n\nManagement concurred with recommendations 11, 12, and 13. The Comptroller will\nensure that charges for banking services are valid and reasonable and that future\nagreements allow for a monthly analysis of fees. 
He will also direct the Institution\xe2\x80\x99s\ncurrent banking partners to either reject or limit miscellaneous services provided to units\nand will establish a written policy to document controls put into place as a result of this\nreport. We believe these proposed actions are responsive and should address the issues\nidentified in our report\n\n\n\n\n11\n     Audit of Bank Reconciliations, Office of the Inspector General, September 28, 2005.\n                                                        14\n\x0cACTIONS REQUIRED\n\nBecause corrective actions proposed for recommendations 1, 2, 3, 4, and 5 will not fully\nresolve the issues identified, we would appreciate receiving your written plans for\nresolving these open recommendations within 30 days from the date of this report. You\nmay provide alternative courses of action that you believe would resolve the issues\npresented in this report.\n\nWe appreciate the courtesies and cooperation of Smithsonian representatives during this\nreview. If you have any questions concerning this report, please call me at (202) 275-2154\nor Stuart Metzger at (202) 275-2159.\n\n\n\n\n                                           15\n\x0cAPPENDIX A. OBJECTIVES, SCOPE AND METHODOLOGY\n\nThe objectives of our review were to evaluate internal controls in the Office of the\nComptroller over separation of duties, access to financial records, and oversight of\nbanking fees. In evaluating controls over cash management and banking activities, we\nreviewed duties and system access levels for 15 of 55 employee and contractor positions12\nin the accounts payable, cash management, and bank reconciliations groups to determine\nhow employees reviewed, processed, and recorded banking and other financial\ntransactions. We did not attempt to detect fraudulent activity by testing individual\ntransactions where we noted internal control weaknesses. We conducted our review in\nWashington, D.C. 
from October 2005 to December 2005 in accordance with Government\nAuditing Standards as prescribed by the Comptroller General of the United States.\n\nSeparation of Duties in the Office of the Comptroller\n\nIn determining whether employee duties were properly separated in OC, we reviewed two\nstudies issued in 2004 and 2005 conducted by PricewaterhouseCoopers, LLP. We also\nreviewed a 2005 workforce analysis study of financial management resources by Booz\nAllen Hamilton.13 We assessed the separation of duties for 15 positions in the Financial\nAnalysis and Reporting Division and the Financial Information Processing Division to\ndetermine whether employees could both access assets and accounting records. These\npositions were responsible for accounts payable, cash management, and bank\nreconciliations functions within OC. We reviewed accounts payable positions to\ndetermine how vendor information could be modified and how payment vouchers were\ncreated in the financial system. We reviewed bank reconciliation positions to determine if\nemployees could reconcile accounts and also post entries to the general ledger, which\nwould increase the risk of improper recording of accounting entries.\n\nWe also reviewed cash management positions and met with staff in OC\xe2\x80\x99s cash\nmanagement department and the Office of the Treasurer to discuss procedures for\ntransferring money electronically between the United States Treasury, the Institution, and\namong two of the Institution\xe2\x80\x99s bank accounts. 
In addition, we observed employees as\nthey processed on-line electronic funds transfer requests to the United States Treasury\nand two banks, noting internal control features and weaknesses.\n\nSystem Access Levels\n\nTo evaluate employee system access capabilities, we obtained a list from OCIO of all OC\npersonnel having PeopleSoft access privileges, and judgmentally sampled 15 employee\npositions from the accounts payable, cash management, and bank reconciliations groups\nfor analysis of systems access controls. We evaluated whether user access rights were\n\n12\n     The 15 positions included two contractors.\n13\n     Smithsonian Institution Internal Controls Review \xe2\x80\x93 Phase II, PricewaterhouseCoopers LLP, December 2004;\n     Security Review and Penetration Testing of Financial Systems, PricewaterhouseCoopers LLP, April 2005;\n     Assessment of Banking Relationships and Cash Management Practices, Mitchell & Titus, LLP, October 2004;\n     and Focused Workforce Analysis, Booz Allen Hamilton, September 2005.\n                                                      16\n\x0cappropriate for the 15 positions, and whether the job duties and access rights were\nconsistent with good internal control measures. We verified user access levels through\ndiscussions with the OCIO technical staff. We also observed users\xe2\x80\x99 financial system access\nlevels in PeopleSoft when they logged onto the system and determined what features were\navailable to them on-line.\n\nValidity of Bank Fees\n\nIn assessing the Institution\xe2\x80\x99s oversight of bank fees, we reviewed a 2004 study by Mitchell\nand Titus, LLC, met with consultant representatives, and interviewed OC personnel to\ndiscuss OC\xe2\x80\x99s policies and practices with respect to bank fees. 
We also reviewed bank\nagreements and fee schedules that OC was able to provide us; however, we could not\nassess the validity of the fees charged the Institution because OC lacked detailed\ntransaction reports, bank agreements, and prior-period fee schedules.\n\n\n\n\n                                            17\n\x0cAPPENDIX B. MANAGEMENT COMMENTS\n\n\n\n\n                        18\n\x0cAPPENDIX B. MANAGEMENT COMMENTS (CONTINUED)\n\n\n\n\n                        19\n\x0cAPPENDIX B. MANAGEMENT COMMENTS (CONTINUED)\n\n\n\n\n                        20\n\x0cAPPENDIX B. MANAGEMENT COMMENTS (CONTINUED)\n\n\n\n\n                        21\n\x0cAPPENDIX B. MANAGEMENT COMMENTS (CONTINUED)\n\n\n\n\n                        22\n\x0cAPPENDIX B. MANAGEMENT COMMENTS (CONTINUED)\n\n\n\n\n                        23\n\x0c'
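The separation-of-duties restriction argued for under Recommendation 1 (no ledger access to accounts one reconciles, while other ledger areas stay permitted) and the tiered wire-approval thresholds under Recommendations 2 and 3, worked as an added example. This is not the Institution's or OC's code and is not part of the original report; the permission vocabulary, employee names, account names and approver role names are constructed assumptions.

```python
"""Separation-of-duties and tiered wire-approval checks modelled on the
report's Recommendations 1 through 3. Added illustration, not the
Institution's or OC's code; employee names, account names and the
permission vocabulary below are constructed assumptions."""

# Incompatible duty pairs drawn from the report's findings (names assumed).
# The reconcile/post_gl pair conflicts only when both touch the same account;
# the report allows reconcilers access to other, non-conflicting ledger areas.
CONFLICTS = {
    ("reconcile", "post_gl"): "reconciles and posts to the same account",
    ("execute_wire", "record_wire"): "executes and records wire transfers",
    ("modify_vendor", "process_payment"): "edits vendor listings and pays vendors",
}

# Approval tiers from the report: the Cash Management Officer on every wire,
# the Division Manager above $1 million, the Comptroller above $10 million.
WIRE_TIERS = [
    (0, "cash_management_officer"),
    (1_000_000, "division_manager"),
    (10_000_000, "comptroller"),
]

# Constructed access matrix: employee -> {(permission, account or None)}.
SAMPLE_GRANTS = {
    "reconciler_1": {("reconcile", "operating"), ("post_gl", "operating"),
                     ("post_gl", "payroll")},
    "reconciler_2": {("reconcile", "operating"), ("post_gl", "payroll")},
    "cash_1": {("execute_wire", None), ("record_wire", None)},
    "ap_1": {("modify_vendor", None)},
}


def sod_conflicts(grants):
    """Return [(employee, description)] for every incompatible pairing found."""
    found = []
    for emp, perms in grants.items():
        for (first, second), why in CONFLICTS.items():
            accts_first = {acct for perm, acct in perms if perm == first}
            accts_second = {acct for perm, acct in perms if perm == second}
            if not accts_first or not accts_second:
                continue  # employee holds only one side of the pair
            if (first, second) == ("reconcile", "post_gl"):
                shared = accts_first & accts_second
                if shared:
                    found.append((emp, f"{why}: {sorted(shared)}"))
            else:
                found.append((emp, why))
    return found


def required_approvers(amount):
    """Roles whose sign-off a wire of this size needs, lowest tier first."""
    return [role for threshold, role in WIRE_TIERS if amount > threshold]


def wire_is_authorized(amount, initiator, approvals):
    """approvals: {role: approver}. Every required tier must be signed by
    someone other than the employee who keyed the wire.
    Returns (ok, missing_roles)."""
    missing = [role for role in required_approvers(amount)
               if approvals.get(role) in (None, initiator)]
    return (not missing, missing)


if __name__ == "__main__":
    for emp, why in sod_conflicts(SAMPLE_GRANTS):
        print(f"SoD conflict: {emp} {why}")
    print(wire_is_authorized(12_000_000, "cash_1",
                             {"cash_management_officer": "cmo",
                              "division_manager": "dm", "comptroller": "comp"}))
```

Run against a real access export, the same check would flag reconciler_1 (ledger access to the account being reconciled) and cash_1 (executes and records wires) while leaving reconciler_2 untouched, since posting to an unrelated account is not a conflict in the report's terms.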